Skip to main content
Calico Enterprise 3.19 (latest) documentation

Failsafe rules

To avoid completely cutting off a host via incorrect or malformed policy, Calico Enterprise has a failsafe mechanism that keeps various pinholes open in the firewall.

By default, Calico Enterprise keeps the following ports open on all host endpoints:

PortProtocolDirectionPurpose
22TCPInboundSSH access
53UDPOutboundDNS queries
67UDPOutboundDHCP access
68UDPInboundDHCP access
179TCPInbound & OutboundBGP access (Calico networking)
6443TCPInbound & OutboundKubernetes API server access

The lists of failsafe ports can be configured via the configuration parameters FailsafeInboundHostPorts and FailsafeOutboundHostPorts described in Configuring Felix . They can be disabled by setting each configuration value to "[]".

note

Removing the inbound failsafe rules can leave a host inaccessible.

Removing the outbound failsafe rules can leave Felix unable to connect to the datastore.

Before disabling the failsafe rules, we recommend creating a policy to replace it with more-specific rules for your environment: see Creating policy for basic connectivity.